From this document (TOP SECRET//SI//NOFORN): https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
version 1.0 said:

| 8. (S//NF) [...] If RC4 is used, at least the first 1024
| bytes of the cryptostream must be discarded and may not be used

and that is exactly what FreeBSD's libc and in-kernel arc4random implementations do.

version 1.1 received input from another agency:

| (C//SI//REL FVEY) Coordinated with NSA/CES.

and a new requirement was introduced:

| (TS//SI) 5.9: Added additional information about proper use of RC4.

| 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
| bytes of the cryptostream must be discarded and may not be used.

I think you should take that to mean the NSA has, or suspects someone else to have, a practical attack on RC4 when being used as FreeBSD does currently.

The document seems 4-5 years old already, as it prohibits use of RC4 at all from 2014 onward.

Please consider switching to ChaCha20 in the long term (kern/182610), but right now, at least increase the amount of early keystream that is discarded.

Many thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru a/head/lib/libc/gen/arc4random.c b/head/lib/libc/gen/arc4random.c --- a/head/lib/libc/gen/arc4random.c 2016-10-12 14:56:14.834409000 +0100 +++ b/head/lib/libc/gen/arc4random.c 2017-03-13 21:57:16.532833171 +0000 @@ -160,7 +160,7 @@ * Discard early keystream, as per recommendations in: * "(Not So) Random Shuffles of RC4" by Ilya Mironov. */ - for (i = 0; i < 1024; i++) + for (i = 0; i < 3072; i++) (void)arc4_getbyte(); arc4_count = 1600000; } diff -Nru a/head/sys/libkern/arc4random.c b/head/sys/libkern/arc4random.c --- a/head/sys/libkern/arc4random.c 2016-11-25 17:20:23.862538000 +0000 +++ b/head/sys/libkern/arc4random.c 2017-03-13 21:58:45.985402563 +0000 @@ -84,11 +84,11 @@ /* * Throw away the first N words of output, as suggested in the * paper "Weaknesses in the Key Scheduling Algorithm of RC4" - * by Fluher, Mantin, and Shamir. (N = 256 in our case.) + * by Fluher, Mantin, and Shamir. (N = 768 in our case.) * * http://dl.acm.org/citation.cfm?id=646557.694759 */ - for (n = 0; n < 256*4; n++) + for (n = 0; n < 768*4; n++) arc4_randbyte(arc4); mtx_unlock(&arc4->mtx);
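Review bot: in the libc hunk the loop bound goes from 1024 to 3072, but the comment directly above it ("Discard early keystream, as per recommendations in: '(Not So) Random Shuffles of RC4' by Ilya Mironov") is left as the sole justification, so a later reader cannot tell why that citation now yields 3072 rather than the 1024 it used to; add the reason for the new figure (the 3072-byte discard requirement quoted in the mail) to the comment or the commit message. Note also that `arc4_count = 1600000;` is unchanged, so the only behavioural cost is that each reseed now throws away 3072 bytes of keystream instead of 1024 before the first usable byte; worth one sentence in the commit message so nobody later "optimises" it back down.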
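Review bot: in the kernel hunk the rewritten comment line still misspells the first author of "Weaknesses in the Key Scheduling Algorithm of RC4" as "Fluher"; the paper is by Fluhrer, Mantin and Shamir, and since the line is being edited anyway the name should be fixed in the same change. The comment also counts in "words" (N = 768) while the loop counts bytes (768*4), so the reader has to multiply to see that this equals the 3072 bytes discarded in the libc hunk; writing the byte count directly, e.g. `for (n = 0; n < 3072; n++)` with a comment that this matches the libc arc4random discard, would make the two implementations visibly consistent.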
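The RC4-drop[n] pattern the patch adjusts (key the cipher, throw away the first n keystream bytes, only then use output), as an added example that is not code from FreeBSD or from the mail above. It uses a textbook RC4 KSA/PRGA of its own, a deterministic xorshift64 generator purely to produce constructed sample keys (assumption: any key source would do; this one only makes the run repeatable), and measures the Mantin-Shamir second-byte bias that early-keystream discard exists to hide: over many random keys the second output byte is 0 about twice as often as a uniform byte would be, while the byte that follows a 3072-byte discard (the figure from the mail) shows no such bias.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal RC4 state: the permutation plus the PRGA indices. */
typedef struct {
    uint8_t s[256];
    uint8_t i, j;
} rc4_t;

/* Key-scheduling algorithm (KSA). */
static void rc4_init(rc4_t *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->s[k] + key[k % keylen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* One step of the pseudo-random generation algorithm (PRGA): one keystream byte. */
static uint8_t rc4_byte(rc4_t *st)
{
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->s[st->i]);
    uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}

/* RC4-drop[n]: discard the first n keystream bytes, as arc4random does after keying. */
static void rc4_drop(rc4_t *st, size_t n)
{
    while (n--)
        (void)rc4_byte(st);
}

/* xorshift64: deterministic source of constructed sample keys for this experiment only. */
static uint64_t xs_next(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

/*
 * Key RC4 with `trials` fresh 16-byte keys, discard `drop` bytes each time and
 * return how often the next keystream byte is 0. A uniform byte gives ~1/256;
 * with drop == 1 the tested byte is Z_2, which the Mantin-Shamir bias makes
 * 0 with probability ~2/256.
 */
double zero_rate(size_t drop, size_t trials)
{
    uint64_t seed = 0x9E3779B97F4A7C15ULL ^ (uint64_t)drop; /* fixed, non-zero */
    size_t zeros = 0;

    for (size_t t = 0; t < trials; t++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k += 8) {
            uint64_t r = xs_next(&seed);
            for (int b = 0; b < 8; b++)
                key[k + b] = (uint8_t)(r >> (8 * b));
        }

        rc4_t st;
        rc4_init(&st, key, sizeof key);
        rc4_drop(&st, drop);
        if (rc4_byte(&st) == 0)
            zeros++;
    }
    return (double)zeros / (double)trials;
}

int main(void)
{
    printf("uniform byte, P[0]        = %.5f\n", 1.0 / 256);
    printf("second byte (drop 1)      = %.5f\n", zero_rate(1, 100000));
    printf("byte after 3072 discarded = %.5f\n", zero_rate(3072, 50000));
    return 0;
}
```

The measurement only shows the single best-known early-keystream bias; it is a demonstration of why a drop exists, not evidence that 3072 (or any particular n) is sufficient, which is exactly the point the mail leaves open.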